httpd-dev mailing list archives

From Alex Stewart <a...@foogod.com>
Subject Re: another map_to_storage gotcha.
Date Fri, 14 Sep 2001 05:31:07 GMT
Slive, Joshua wrote:
> 1. (Important) As OtherBill has been trying to point out, <Location> is
> applied after <Directory>.  Therefore, if you put these things in
> <Location />, lots of things in <Directory> will fail to work.  People
> won't understand why this doesn't deny access to anything:
> 
> <Location />
> Order allow,deny
> allow from all
> </Location>
> <Directory /path/to/really/secret/stuff>
> deny from all
> </Directory>

And, IMO, this is just plain wrong, and needs to be fixed.  It should 
never be possible for <Location> to override <Directory> with looser 
access restrictions, just as it should not be possible for <Directory> 
to override <Location> with looser permissions.  In both cases, access 
should be determined by the most restrictive specification for a given 
resource.  Doing anything else opens up lots of opportunities for 
accidental security holes and is just bad design.

-alex
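
A configuration check for the pattern quoted above, added here as an example and not part of the original message or of the httpd code base: it flags every `<Directory>` block whose `deny from all` is overridden because a `<Location />` block containing `allow from all` is applied afterwards. The function names are hypothetical, and the parser assumes flat, non-nested sections in a single file (no `Include`, no `.htaccess`).

```python
import re

# Constructed sample input: the configuration quoted in the message above.
SAMPLE_CONF = """\
<Location />
Order allow,deny
allow from all
</Location>
<Directory /path/to/really/secret/stuff>
deny from all
</Directory>
"""

# Matches <Location ...> and <Directory ...> only, not the *Match variants.
SECTION_RE = re.compile(
    r"<(Location|Directory)\s+([^>]+?)\s*>(.*?)</\1>", re.IGNORECASE | re.DOTALL)


def parse_sections(conf_text):
    """Return (kind, path, directives) for each non-nested section."""
    sections = []
    for kind, path, body in SECTION_RE.findall(conf_text):
        # Normalise whitespace and case; skip blank lines and comments.
        directives = [" ".join(line.split()).lower()
                      for line in body.splitlines()
                      if line.strip() and not line.lstrip().startswith("#")]
        sections.append((kind.lower(), path.strip('"'), directives))
    return sections


def shadowed_denies(conf_text):
    """Directory paths whose 'deny from all' is undone by <Location />."""
    sections = parse_sections(conf_text)
    # <Location /> matches every URL and is applied after all <Directory> blocks.
    root_allows = any(kind == "location" and path == "/"
                      and "allow from all" in directives
                      for kind, path, directives in sections)
    if not root_allows:
        return []
    return [path for kind, path, directives in sections
            if kind == "directory" and "deny from all" in directives]


if __name__ == "__main__":
    for path in shadowed_denies(SAMPLE_CONF):
        print(f"WARNING: deny on {path} is overridden by <Location />")
```

Moving the default `allow from all` into a `<Directory />` block instead of `<Location />` clears the warning, because the deny on the more specific directory is then applied after the root default.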

